Securing Your MonoRouter Instance: API Keys, HTTPS, and Access Control
MonoRouter sits between your code and Claude. Here's how to lock it down so only authorized users can route through your sessions.
MonoRouter gives your Claude subscription an API-like interface. That's powerful — and it means security matters. If someone gets access to your MonoRouter endpoint, they can use your Claude sessions.
API Key Authentication
Every MonoRouter instance requires an API key for access. When you create an account, you get a unique API key that you set as your ANTHROPIC_API_KEY in your SDK configuration. MonoRouter validates this key on every request.
Your MonoRouter API key is not your Anthropic API key. It's a separate credential that MonoRouter uses to authenticate you. Your actual Claude sessions are managed server-side and never exposed to clients.
Configuring Your API Key
Set it as an environment variable so it's never hardcoded in your source:
# In your shell profile (~/.zshrc, ~/.bashrc)
export ANTHROPIC_API_KEY="mr_live_abc123"
export ANTHROPIC_BASE_URL="https://api.monorouter.dev/v1"
For project-level configuration, use a .env file and add it to .gitignore:
# .env (never commit this file)
ANTHROPIC_API_KEY=mr_live_abc123
ANTHROPIC_BASE_URL=https://api.monorouter.dev/v1
# .gitignore
.env
.env.local
.env.*.local
Per-Platform Best Practices
macOS / Linux — Use your shell profile or a tool like direnv for per-directory env vars:
# .envrc (auto-loaded by direnv when you cd into the project)
export ANTHROPIC_API_KEY="mr_live_abc123"
export ANTHROPIC_BASE_URL="https://api.monorouter.dev/v1"
CI/CD (GitHub Actions) — Store credentials as encrypted secrets:
env:
ANTHROPIC_API_KEY: ${{ secrets.MONOROUTER_KEY }}
ANTHROPIC_BASE_URL: https://api.monorouter.dev/v1
Docker — Pass environment variables at runtime, never bake them into the image:
# Don't do this:
# ENV ANTHROPIC_API_KEY=mr_live_abc123
# Do this at runtime:
# docker run -e ANTHROPIC_API_KEY=mr_live_abc123 myapp
Verifying Your Key Works
Quick check from the command line:
curl -s https://api.monorouter.dev/v1/messages \
-H "x-api-key: $ANTHROPIC_API_KEY" \
-H "content-type: application/json" \
-H "anthropic-version: 2023-06-01" \
-d '{
"model": "claude-sonnet-4-20250514",
"max_tokens": 32,
"messages": [{"role": "user", "content": "Say hello"}]
}'
A 200 response means you're authenticated and routing through MonoRouter. A 401 means the key is invalid or missing.
HTTPS by Default
MonoRouter's hosted service runs over HTTPS with TLS 1.3. All communication between your SDK and MonoRouter is encrypted in transit. There's no option to use plain HTTP — we enforce HTTPS at the infrastructure level.
This means your prompts, responses, and API keys are encrypted on the wire. Even on a shared network, an attacker can't sniff your Claude conversations.
Session Isolation
Each MonoRouter account has its own session pool. Your sessions are never shared with other users. When you connect a Claude account to MonoRouter, only requests authenticated with your API key can use that session.
Recovery Codes
Your MonoRouter account is protected by a password and a set of recovery codes. Recovery codes are generated at signup and are the only way to regain access if you lose your password. We don't store your recovery codes — we store bcrypt hashes. Keep the originals safe.
Store your recovery codes securely:
MonoRouter Recovery Kit
========================
Account email: [email protected]
Generated: 2026-03-15
Recovery codes (each single-use):
mrr-a1b2-c3d4
mrr-e5f6-g7h8
mrr-i9j0-k1l2
mrr-m3n4-o5p6
mrr-q7r8-s9t0
mrr-u1v2-w3x4
Store in: password manager, printed copy in safe
Do NOT store in: plain text files, email, Slack messages
What We Don't Store
MonoRouter doesn't log your prompts or Claude's responses. We store metadata for rate limiting and usage tracking — timestamps, token counts, model names — but never the content of your conversations. Your intellectual property stays between your code and Claude.
Here's what we do and don't retain:
| Data | Stored? | Purpose |
|---|---|---|
| Prompt content | No | — |
| Response content | No | — |
| Model name | Yes | Usage analytics |
| Token counts | Yes | Quota tracking |
| Request timestamps | Yes | Rate limiting |
| API key (hashed) | Yes | Authentication |
| Password (hashed) | Yes | Authentication |
| Recovery codes (hashed) | Yes | Account recovery |